Oliver Deakin wrote:
Endre Stølsvik wrote:
Envision a server that's booting up.

Playing the devil's advocate here, assuming that no network activity happened before our java process started, what's really random with those three "seeds"?


Oliver Deakin wrote:
I found that, although fairly simple, this produced a good variety of seeds.

On a system that's already running, it might. On a system that is starting up, there will be _no_ variety in those three variables except for the time, and that isn't really "variable" either!

Actually when I tested these values I launched the VM separately for every run, so at least for the process time (and obviously system clock) it was as if the system was starting up every time.

Not really - lots of other processes are then running, and you thus have some unpredictable elements in regard to _when you_ hit enter as opposed to which other processes are in the run queue, where they are, state, kernel threading, timeslices and pre-empting of processes, and whatnot.

How many times did you run your "reboot"?

Here's what I actually stated: Stick the JVM startup in a /etc/rc2.d/ script, WAY early in the boot sequence (in particular before the network is brought up, since that can introduce actual randomness due to latency, human intervention on other boxes in your network, name server delays, DHCP, whathaveyous), on a physical box (not running on virtualization, as that basically introduces the same problems as described when running on an OS), sampling each of your values, and then appending them to some log file.

Now reboot the physical box 100 times (at least not only two). Check the values. Due to some possible randomness in regard to variation between e.g. two different clocks, or the angle of the disc in the hard disk when spinning up, or other such very limited sources of entropy, there might be more than one set of values that emerge - my point is that there might be _some_ such sets, but not plenty. Checking the actual bit patterns as opposed to decimal values also might reveal something. If you get the same value more than just once, the point is proven, I feel (obviously in comparison to how many bits of entropy you feel that you get out of these values).

This is actually very relevant in regard to a _server_, as in "web server", "application server" etc.

Endre.
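The check Endre describes (log the candidate seed values on every reboot, then look for repeats and at which bits actually vary) can be scripted. The following is an added example, not code from either poster: it parses a hypothetical whitespace-separated log with one line per boot (boot number, wall clock in ms, process CPU time in ns, uptime in ms; the format and all values are constructed for illustration), and for each field reports the number of distinct values, the empirical Shannon entropy in bits, how many bit positions ever change, and whether any value repeated.

```python
import math
from collections import Counter

# Constructed sample log: one line per reboot of the box. The field layout
# (boot wall_clock_ms process_cpu_ns uptime_ms) and every value are made up
# for this example; a real log would come from the rc script described above.
SAMPLE_LOG = """\
# boot wall_clock_ms process_cpu_ns uptime_ms
1 1200000000123 4100000 310
2 1200000060118 4100000 310
3 1200000120131 4200000 312
4 1200000180123 4100000 310
5 1200000240120 4100000 310
6 1200000300127 4200000 311
7 1200000360123 4100000 310
8 1200000420119 4100000 310
"""

FIELDS = ("wall_clock_ms", "process_cpu_ns", "uptime_ms")


def parse_log(text):
    """Return one tuple of ints per boot, skipping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # parts[0] is the boot counter, the rest are the sampled seed sources
        rows.append(tuple(int(p) for p in parts[1:1 + len(FIELDS)]))
    return rows


def shannon_bits(values):
    """Empirical Shannon entropy of the observed values, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def varying_bits(values, width=64):
    """Bit positions that are 1 in some samples and 0 in others.

    A seed source contributes at most this many bits; positions that are
    constant across every boot contribute nothing, whatever the decimal
    values look like.
    """
    all_or, all_and = 0, (1 << width) - 1
    for v in values:
        all_or |= v
        all_and &= v
    return [i for i in range(width) if (all_or >> i) & 1 and not (all_and >> i) & 1]


def assess(rows):
    """Per-field summary of how much the sampled seed sources actually move."""
    report = {}
    for idx, name in enumerate(FIELDS):
        column = [r[idx] for r in rows]
        distinct = len(set(column))
        report[name] = {
            "distinct": distinct,
            "entropy_bits": round(shannon_bits(column), 2),
            "varying_bits": len(varying_bits(column)),
            "repeated": distinct < len(column),
        }
    return report


def subsecond_repeats(rows):
    """How many boots share a millisecond-within-second value.

    The high part of the wall clock always differs between reboots, but it is
    also predictable; only the sub-second remainder is a candidate for entropy.
    """
    ms = [r[0] % 1000 for r in rows]
    return len(ms) - len(set(ms))


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for name, stats in assess(rows).items():
        print(f"{name:15s} {stats}")
    print("boots sharing a sub-second clock value:", subsecond_repeats(rows))
```

In the constructed sample the process CPU time takes only two distinct values over eight boots (well under one bit of entropy) and the uptime three, while the wall clock looks unique only because its predictable high-order part differs; three of the eight boots already collide on the sub-second remainder. Run against a real log of 100 reboots, a `repeated` of True or a `varying_bits` count far below the field's width is the evidence the post asks for.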
